Subject: Issue 163: Document how to support out of band encryption key known to both parties
Issue 163

I recorded this issue as 163 after the last call pointing to one of the mails below. I will update the description of the issue and update the link to point to this message in the next update.

Thanks Rich.

-----Original Message-----
From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: Wednesday, February 06, 2008 7:34 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: NEW Issue: Document how to support out of band encryption key known to both parties

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-sx examples 17-07
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf
ws-sp 1.2
http://www.oasis-open.org/committees/download.php/26176/ws-sp-usecases-examples-draft-17-07.doc

Artifact: spec / policy

Type: editorial

Title: Document how to support out of band encryption key known to both parties

Description:
These emails describe the problem in detail:
http://lists.oasis-open.org/archives/ws-sx/200712/msg00027.html
http://lists.oasis-open.org/archives/ws-sx/200801/msg00000.html
http://lists.oasis-open.org/archives/ws-sx/200801/msg00001.html
http://lists.oasis-open.org/archives/ws-sx/200801/msg00010.html
http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html

The basic problem is that there is a sample use case for WS-Security in one of the WS-Security interop documents:
http://www.oasis-open.org/committees/download.php/11375/wss-interop2-draft-06-merged.doc
see Chapter 3: "Scenario #4 Session Key".

It is not clear to the author of the 1st email how to use ws-sp to model that use case. The follow-on emails suggest one, and possibly two ways to do it. The author agreed to the suggested resolutions and suggested that the resolution be documented for future reference.
http://lists.oasis-open.org/archives/ws-sx/200801/msg00010.html

This issue is raised against the ws-sx examples doc as a place where one of the examples could be modified to show an option which documents the suggested resolution. The issue is also raised against ws-sp spec, because it has been suggested in TC mtg (Hal) that possibly the custom URI suggested by the author of the original issue

Related issues: None

Proposed Resolution:
I suggest updating examples doc: In section 2.2.2 of that document is a use case called "(WSS1.0) Mutual Authentication with X.509 Certificates, Sign, Encrypt". This example could be readily modified to explain how to do the case described in the emails above as well.

I am not sure about updating the ws-sp spec as Hal suggested be considered. If we were to update it, we could possibly put some explanatory text in section 5.4.2, where it already mentions that "This assertion is used in 3rd party scenarios. For example, the initiator may need to request a SAML token from a given token issuer in order to secure messages sent to the recipient." But it goes no further in the description of 3rd party scenarios.

Imo, the example above with the out of band encryption key is functionally equivalent to a token supplied by a 3rd party, where the IssuedToken assertion mechanism is used to identify the Issuer and carry the Token but does not actively engage in how that token is used except by whatever implicit context the IssuedToken itself is used. Therefore my inclination is to not document this in the ws-sp spec, or, if so, by only indicating with a brief phrase something like "out of band shared encryption keys are an example of how an IssuedToken might be put to use."